Rate Compatible Protocol for Information 
Reconciliation: An application to QKD 

David Elkouss, Jesus Martinez-Mateo, Daniel Lancho and Vicente Martin 
Facultad de Informatica, Universidad Politecnica de Madrid, 
Campus de Montegancedo, 28660 Boadilla del Monte (Madrid), Spain, 
e-mail: {delkouss, jmartinez, dlancho, vicente}@fi.upm.es

Abstract 

Information Reconciliation is a mechanism that makes it possible to weed out the discrepancies between two
correlated variables. It is an essential component in every key agreement protocol where the key has
to be transmitted through a noisy channel. The typical case is the satellite scenario described by
Maurer in the early 90's. Recently the need has arisen in relation to Quantum Key Distribution (QKD)
protocols, where it is very important not to reveal unnecessary information in order to maximize the
shared key length. In this paper we present an information reconciliation protocol based on a rate
compatible construction of Low Density Parity Check codes. Our protocol improves the efficiency of the
reconciliation for the whole range of error rates in the discrete variable QKD context. Its adaptability
together with its low interactivity makes it especially well suited for QKD reconciliation.

Index Terms 

Reconciliation, low-density parity-check (LDPC) codes, puncturing, shortening, rate-compatible. 

I. Introduction 

The general scenario for information reconciliation is one in which two parties have two sets of
correlated data with some discrepancies between them. The situation is equivalent to transmitting the data
from one party to the other through a noisy channel, akin to the satellite scenario described by Maurer [1].

In a Quantum Key Distribution (QKD) protocol, errors are generated in the communications channel
either by the interaction of the quantum information carrier with the environment, by imperfections in
the QKD device or by an eavesdropper. The two parties participating in the communication, Alice and
Bob, thus have two sets of correlated data from which a common set must be extracted. This problem has
previously been subject to consideration [2], [3], [4], [5], [6]. It is a process known as key distillation,
which requires a discussion carried out over an authenticated classical channel. It is interactive in the sense
that it needs communication through the channel. Since the channel can also be listened to by an eavesdropper, it is
important to minimize the amount of information that has to be transmitted in the reconciliation process.
Any extra information limits the performance of the QKD implementation. In theory one could minimize
the information leakage using a highly interactive protocol, but in practical applications this would lead
to a prohibitively large communication overhead through the network, also limiting the effective key rate.

It is in this scenario where modern Forward Error Correction (FEC) is an interesting solution. The idea
is to make use of FEC's inherent advantage of requiring a single channel use to reconcile the two sets.
In [6] the use of a discrete number of Low-Density Parity-Check (LDPC) codes optimized
for the binary symmetric channel was analyzed. As a consequence the efficiency exhibited a staircase-like behaviour:
each code was used within a range of error rates and the reconciliation efficiency was maximized only
in the region close to the code's threshold.

In this work, we develop the idea of using LDPC codes optimized for the binary symmetric channel. We
take these codes as a starting point and develop a rate compatible information reconciliation protocol
with an efficiency close to optimal. In particular, the proposed protocol builds codes that minimize
the exchanged information for error probabilities between 1% and 10%¹, the expected values in real
implementations of QKD systems.

This solution addresses the rate adaptation problem (open problem 2) from the recent review paper
of Matsumoto [8], in which he lists the problems that an LDPC solution should overcome in order to
compare advantageously to current interactive reconciliation solutions.

The paper is organised as follows: In Section II the main ideas are discussed. A new Information
Reconciliation Protocol able to adapt to different channel parameters is presented and its asymptotic
behavior discussed. In Section III the results of a practical implementation of the protocol are shown. In
particular we have analyzed the rate compared to the optimal value and the reconciliation efficiency.

II. Rate Compatible Information Reconciliation 

Information Reconciliation 

Let X and Y be two correlated variables belonging to Alice and Bob, and x and y their outcome
strings. Information Reconciliation [2] is a mechanism that allows them to eliminate the discrepancies
between x and y and agree on a string $S(x)$, with possibly $S(x) = x$.

¹The maximum error threshold for extracting an absolute secret key in a QKD protocol is 11% [7].

Fig. 1. Source coding with side information.

The problem of information reconciliation can be seen as the source coding problem with side
information (see Fig. 1). Thus, as shown by Slepian and Wolf [9], the minimum information $I$ that
Alice would have to send to Bob in order to help him reconcile Y and X is $I_{opt} = H(X|Y)$. Taking
into account that real reconciliation will not be optimal, we use a parameter $f \geq 1$ as a quality figure
for the reconciliation efficiency:

$$I_{real} = f H(X|Y) \geq I_{opt} \qquad (1)$$

Here we will concentrate on binary variables, which apply to discrete variable QKD, although the 
ideas are directly applicable to other scenarios. 

The most widely used protocol for information reconciliation in QKD is Cascade [2], because of its
simplicity and good efficiency. Cascade is a highly interactive protocol that runs for a certain number of
passes. In each pass, Alice and Bob both perform the same permutation on their respective strings, divide
them into blocks of the same size and exchange the parities of the blocks. Whenever there is a mismatch
they perform a dichotomic search to find an error; finding one usually means discovering more errors
left in previous passes.

The main handicap of Cascade is its high interactivity. Buttler et al. [10] proposed Winnow, a reconciliation
protocol where instead of exchanging block parities, Alice and Bob exchange the syndrome of a
Hamming code. Their protocol succeeded in reducing the interactivity but, in the error range of interest
for QKD, the efficiency was worse than that of Cascade.

There has been further work on improving the efficiency of Cascade-like protocols. In [11] the block
size is optimized, while in [12] the emphasis is put on minimizing the information sent to correct one
error on each pass.

Definitions

LDPC codes were introduced by Gallager in the early 60's [13]. They are linear codes with a sparse
parity check matrix.

A family of LDPC codes is defined by two generating polynomials [14], $\lambda(x)$ and $\rho(x)$:

$$\lambda(x) = \sum_{i \geq 2} \lambda_i x^{i-1}; \qquad \rho(x) = \sum_{j \geq 2} \rho_j x^{j-1} \qquad (2)$$

where $\lambda(x)$ and $\rho(x)$ define degree distributions. $\lambda_i$ and $\rho_i$ indicate the proportion (normalized to 1) of
edges connected to symbol and check nodes of degree i, respectively. The rate $R_0$ of the family of LDPC
codes is defined as:

Ro = l- (3) 

Two common strategies to adapt the rate to the channel parameters are puncturing and shortening [15].
Puncturing means deleting a predefined set of p symbols from each word, converting an [n, k] code into
an [n - p, k] code. Shortening means deleting a set of s symbols from the encoding process, converting
an [n, k] code into an [n - s, k - s] code. Both processes allow the rate of the code to be modulated as:

$$R = \frac{R_0 - \sigma}{1 - \pi - \sigma} = \frac{k - s}{n - p - s} \qquad (4)$$

where $\pi$ and $\sigma$ represent the ratios of information punctured and shortened respectively, and $R_0$ is the
rate of the initial code (see Fig. 2 for an example).

The protocol 

Standard puncturing and shortening need an a priori knowledge about the channel in order to adapt 
the rate. The Bit Error Rate (BER) in the case of QKD protocols is an a priori unknown value, hence 
it is important to be able to construct codes that can adapt to the varying BER values that might appear 
during a QKD transmission. In order to cope with this, we propose an inverse puncturing and shortening 
protocol, that is performed after the distribution of the correlated variables. 

The protocol assumes the existence of a shared pool of codes of length n, adjusted for different rates.
Depending on the range of crossover probabilities to be corrected, a parameter $\delta$ is chosen to set the
proportion of bits to be either shortened ($\sigma$) or punctured ($\pi$); $\delta = \pi + \sigma$. $\delta$ defines the achievable rates,
R, through:

Fig. 2. Example of puncturing and shortening applied to a code represented by a Tanner graph. The rate of the original code
is R = (n - m)/n = (8 - 4)/8 = 1/2. After puncturing two symbol nodes (indicated in the graph with dashed lines) the new
rate is increased to R = (8 - 4)/(8 - 2) = 2/3. Shortening one symbol of the original code (indicated with thick solid lines)
leads to a new rate of R = ((8 - 1) - 4)/(8 - 1) = 3/7. Puncturing two symbols and shortening one in the original code leads
to a rate of R = ((8 - 1) - 4)/(8 - 2 - 1) = 3/5.

Fig. 3. Protocol sequence diagram.



with $R_0$ being the rate of the code selected from the pool. For an [n, k] code this would mean $n \cdot \pi$ bits
punctured, $n \cdot \sigma$ bits shortened and $n \cdot (1 - \delta)$ bits transmitted over the BSC (see Fig. 4). The number of
symbols not to be sent is $d = \lfloor \delta \cdot n \rfloor$.

The protocol goes through the following steps: 

Step 1: Alice sends to Bob a message x, an instance of variable X, of size $\ell = n - d$ through a BSC
of crossover probability p (or a black box behaving as such). Bob receives the correlated message, y.

Step 2: Bob randomly chooses t bits of y, m(y), and sends them and their positions, pos(y), to Alice.

Step 3: Using pos(y), Alice extracts m(x) and estimates the crossover probability:

$$p^* = \frac{m(x) + m(y)}{t} \qquad (6)$$

Once Alice has estimated $p^*$, she knows the theoretical rate for a punctured and shortened code able
to correct the string. Now she must decide what is the optimal rate corresponding to the efficiency of
the code she is using: $R = 1 - f(p^*) h(p^*)$, where h is the binary entropy function and f the efficiency
(e.g. Tab. I). Then she can derive the optimal values for s and p:



$$\begin{aligned} s &= \lceil (R_0 - R(1 - d/n)) \cdot n \rceil \\ p &= d - s \end{aligned} \qquad (7)$$

Alice now creates a string $x^+ = g(x, \sigma_{p^*}, \pi_{p^*})$ of size n. The function g defines which n - d positions are
going to have the values of string x, the p positions that are going to be assigned random values, and the
s positions that are going to have values known by Alice and Bob. The set of n - d positions, the set of p
positions and the set of s positions and their values come from a synchronized pseudo-random generator.
She then sends $s(x^+)$, the syndrome of $x^+$, to Bob as well as the estimated crossover probability $p^*$.

Step 4: Bob can reproduce Alice's estimation of the optimal rate R, the positions of the p punctured
bits, and the positions and values of the s shortened bits, and then he creates the corresponding string
$y^+ = g(y, \sigma_{p^*}, \pi_{p^*})$.

Bob should now be able to decode Alice's codeword with high probability, as the rate has been
adapted to the channel crossover probability. He finally sends an acknowledgement to Alice to indicate whether he
successfully recovered $x^+$.

Example: Calculation of s and p for step 3. Alice and Bob use a [10*^, 5 X 10^] code, d = 10^ and they 
have found out that the efficiency of their reconciliation behaves as f(p) = 1.1 + |p - 0.1|. When Alice
estimates the discrepancy, she finds that p* = 0.08. If the code were optimal, it would have been designed
with a rate R = 1 - f(0.08)h(0.08) = 1 - (1.12)(0.402) = 0.55. Then she obtains s = 2.25 x 10^ and
p = 2.75 X 10^ 
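The step 2 and step 3 computations and the construction of $x^+$ and $y^+$, as an added Python example that is not code from the paper. It uses the efficiency curve f(p) = 1.1 + |p - 0.1| of the example above and rounds s up in Eq. 7; the sizes, seeds and function names are constructed for illustration, and `random.Random` stands in for the synchronized pseudo-random generator.

```python
import math
import random

def h2(p):
    """Binary entropy h(p) in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def page_efficiency(p):
    """Efficiency curve quoted in the page's example: f(p) = 1.1 + |p - 0.1|."""
    return 1.1 + abs(p - 0.1)

def estimate_crossover(x, y, t, rng):
    """Steps 2-3 (Eq. 6): compare t randomly chosen, disclosed positions."""
    pos = rng.sample(range(len(x)), t)
    return sum(x[i] ^ y[i] for i in pos) / t, pos

def split_d(n, k, d, p_est, f=page_efficiency):
    """Eq. 7: shortened count s and punctured count p = d - s for the target rate."""
    target = 1 - f(p_est) * h2(p_est)
    s = math.ceil((k / n - target * (1 - d / n)) * n)
    s = max(0, min(d, s))  # target rate outside what d symbols can reach
    return s, d - s, target

def extend(bits, n, s, shared_seed, local_rng):
    """Build x+ (or y+) of length n from a string of n - d bits.

    random.Random(shared_seed) stands in for the synchronized generator: it
    fixes all positions and the shortened values. Punctured values come from
    local_rng because the other side treats them as unknown.
    """
    shared = random.Random(shared_seed)
    d = n - len(bits)
    order = shared.sample(range(n), n)
    short_pos, punct_pos, data_pos = order[:s], order[s:d], sorted(order[d:])
    word = [0] * n
    for i in short_pos:
        word[i] = shared.getrandbits(1)
    for i in punct_pos:
        word[i] = local_rng.getrandbits(1)
    for i, b in zip(data_pos, bits):
        word[i] = b
    return word, short_pos, punct_pos, data_pos

if __name__ == "__main__":
    n, k, d = 100_000, 50_000, 10_000  # constructed sizes, not the page's
    rng = random.Random(1)
    x = [rng.getrandbits(1) for _ in range(n - d)]
    y = [b ^ (rng.random() < 0.08) for b in x]  # constructed BSC(0.08)
    p_est, _ = estimate_crossover(x, y, 5_000, rng)
    s, p, target = split_d(n, k, d, p_est)
    print(f"p*={p_est:.4f} target R={target:.4f} s={s} p={p} "
          f"rate={(k - s) / (n - d):.4f}")
```

When the target rate lies outside the range reachable with d symbols, `split_d` clamps s to 0 or d, so the resulting rate no longer matches the target.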

In the case in which the protocol is used to reconcile secret keys, several modifications have to be
made. In step 1 the size should be increased by t, $\ell = n - d + t$. In step 2, Bob should discard from his
string, X, the t bits that have been published. Finally, in step 3, Alice should also discard the t published
bits from hers.

Fig. 4. Channel model. The protocol described can be interpreted as a communication through three channels with different
probabilities: a noiseless channel with probability $\sigma$, a BEC(1) with probability $\pi$, and a BSC(p) with probability $1 - \delta$.



Performance analysis 

We are first interested in the range of rates in which the protocol can be used and the expected efficiency 
if the codes are long enough. The threshold value is calculated using the density evolution algorithm [14],
and in particular we have implemented the discretized version of Chung et al. [16]. The equation used to
track the evolution of the density function is:

$$p_u^{(l+1)} = \rho(p_{u_0} * \lambda(p_u^{(l)})) \qquad (8)$$

where $p_u^{(l)}$ is the probability mass function at the symbols during iteration l, and $p_{u_0}$ is the initial message
density distribution, which in our case is:

$$p_{u_0}(x) = (1 - \delta) p_{u_0}^{BSC}(x) + \pi \Delta_0(x) + \sigma \Delta_\infty(x) \qquad (9)$$

where $p_{u_0}^{BSC}(x) = p \Delta_{-\log\frac{1-p}{p}}(x) + (1 - p) \Delta_{\log\frac{1-p}{p}}(x)$, and $\Delta_t(x) = \delta_{dirac}(x - t)$.

In Fig. 5 we track the evolution of the threshold for the code with rate one half in [6]; it can be
observed how different values of $\delta$ offer a tradeoff between the range of rates achievable and the efficiency.

A condition for decoding stability is presented in [14]:

$$\lambda'(0) \rho'(1) < e^{r} \qquad (10)$$

where r is defined as:

$$r = -\log\left( \int_{\mathbb{R}} p_{u_0}(x) e^{-x/2} dx \right) \qquad (11)$$

operating:

$$\lambda_2 < \frac{1}{\left( 2\sqrt{p(1-p)}(1 - \delta) + \pi \right) \rho'(1)} \qquad (12)$$

which imposes a limitation when choosing a code: it has to be stable for the whole range of rates in
which it will be used. A code with $\lambda_2$ close to the stability limit for $R_0$ can become unstable for
high values of $\pi$.

III. Simulation Results 

In order to understand the behavior of the protocol described in Section II we analyze the rate compared
to the optimal value.

Fig. 6. Rate achieved over a BSC with $\delta \in \{0.1, 0.25, 0.5\}$.

The family of LDPC codes used in our simulations has been obtained from [6] and the Tanner
graphs have been constructed using a modified Progressive Edge-Growth (PEG) algorithm [17]. This
improved PEG construction is based on the original [18], but it also takes into account $\rho(x)$, the check
distribution polynomial. We have used a single code of length n = 200.000, a reasonable lower bound
of the expected length in QKD transmission. Bigger n values would improve the performance of the
protocol (by increasing the reconciliation efficiency). The rate is one half, which allows covering the whole range
of expected BERs. Simulations have been done with an LDPC decoder based on belief propagation, with
a maximum number of 2000 iterations per simulation. The LDPC decoder has been modified to work
with puncturing and shortening, adding two new log-likelihood ratios for the initialization of puncturing,
$\gamma_p = 0$, and shortening, $\gamma_s = \infty$, respectively. The points in the different figures have p^n < 10^®.
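How the two extra initial log-likelihood ratios enter a syndrome decoder, as an added Python example that is not the authors' decoder: a small sum-product decoder over a constructed toy set of parity checks (not an LDPC code from the paper), with a finite `BIG` standing in for the infinite LLR of shortened symbols. All names and values are assumptions for illustration.

```python
import math

BIG = 100.0  # finite stand-in for the infinite LLR of a shortened symbol

def initial_llrs(y_plus, short_pos, punct_pos, p_est):
    """Initial LLR per symbol: 0 if punctured, +/-BIG if shortened, BSC(p*) otherwise."""
    chan = math.log((1 - p_est) / p_est)
    llrs = []
    for i, bit in enumerate(y_plus):
        mag = 0.0 if i in punct_pos else BIG if i in short_pos else chan
        llrs.append(-mag if bit else mag)  # positive LLR favours bit 0
    return llrs

def syndrome(checks, word):
    """Parity of each check; checks[c] lists the symbol indices in check c."""
    return [sum(word[v] for v in row) % 2 for row in checks]

def decode(checks, synd, llrs, max_iter=50):
    """Sum-product decoding towards Alice's syndrome; returns x+ or None on failure."""
    c2v = {(c, v): 0.0 for c, row in enumerate(checks) for v in row}
    for _ in range(max_iter):
        total = list(llrs)
        for (c, v), m in c2v.items():
            total[v] += m
        guess = [int(t < 0) for t in total]
        if syndrome(checks, guess) == synd:
            return guess
        new = {}
        for c, row in enumerate(checks):
            for v in row:
                prod = -1.0 if synd[c] else 1.0  # syndrome bit flips the check's sign
                for u in row:
                    if u != v:
                        prod *= math.tanh((total[u] - c2v[(c, u)]) / 2)
                prod = max(-1 + 1e-12, min(1 - 1e-12, prod))  # keep atanh finite
                new[(c, v)] = 2 * math.atanh(prod)
        c2v = new
    return None

# Constructed toy instance: symbol 0 shortened, symbol 5 punctured, 1-4 sent over the BSC.
CHECKS = [[0, 1, 2], [2, 3, 4], [0, 4, 5]]
X_PLUS = [1, 0, 0, 1, 0, 1]  # Alice's word
Y_PLUS = [1, 0, 1, 1, 0, 0]  # Bob's word: symbol 2 flipped, symbol 5 a placeholder

def demo():
    """Decode Bob's word against the syndrome of Alice's word."""
    llrs = initial_llrs(Y_PLUS, {0}, {5}, p_est=0.1)
    return decode(CHECKS, syndrome(CHECKS, X_PLUS), llrs)

if __name__ == "__main__":
    print(demo())
```

A `None` result corresponds to the failed case of step 4, where Bob's acknowledgement tells Alice that $x^+$ was not recovered.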

In Fig. 6 we present the maximum BER reached over a BSC with the rates going from R = 0.5 to 0.7
using different values of the $\delta$ parameter to regulate the puncturing and shortening. The strong dependence
of the rate on the parameter $\delta$ is clearly seen. This figure shows the rate achievable for $\delta \in \{0.1, 0.25, 0.5\}$,
and it is compared with the rate achieved by the code in the case that it were only punctured and with
the Shannon limit. These results highlight that, once the reconciliation problem has been characterized
and the range of possible error rates is known, $\delta$ should be chosen as small as possible. If $\delta$ is found
to be too big, then enlarging the pool with codes that cover different rates should be considered. This
behaviour can be more clearly seen in the enlarged figure (Fig. 7) displaying the rate range from R = 0.5
to 0.55. The minimum value of $\delta$ that allows the entire interval to be covered is $\delta = 0.1$. For this value the
decoding performance is similar to [6]. However, with this protocol we are able to reconcile a continuum
of crossover probabilities. For the other values of $\delta$, the performance is worse; however, it should be noted
that carefully choosing which symbols should be punctured and which ones shortened could improve on
these results [19], [20], [21].

Fig. 8. Reconciliation efficiency calculated from Eq. 1.

Looking at Table I we can see the effect of the protocol on the efficiency of the reconciliation. When
close enough to $R_0$ it is close to one, and for small enough $\delta$ values it remains close to one for the whole
set of rates, which is not the case for the higher $\delta$ values, as expected from the thresholds found in Fig. 5.

Table I. Efficiency calculated from Eq. 1.
Table notes: rate after puncturing and shortening; maximum bit error rate corrected; corresponding efficiency for random puncturing and shortening.

IV. Conclusion 

We have demonstrated how to adapt an LDPC code for rate compatibility. The capability to adapt to 
different error rates while minimizing the amount of published information is an important feature for 
QKD key reconciliation. The present protocol allows reaching efficiencies close to one while limiting the
information leakage and having the important practical advantage of low interactivity. 

Future work will concentrate on the optimization of the puncturing and shortening processes, now 
done randomly. 